Secret search system and secret search method

ABSTRACT

A secret search system is configured to generate a search key TDv in which a position of each character of a search character string is specified and set, and to search for, from among a plurality of encrypted tags ETx in which a position of each character of a character-string-to-be-searched is specified and set, an encrypted tag ETx corresponding to the generated se arch key TDv. In particular, the secret search system is configured to search for an encrypted tag ETx including the search key TDv as a partial character string by setting a position t of each character in one of the search key TDv and the encrypted tags ETx, setting a position −t of each character having a sign obtained by inverting a sign of the position tin the other thereof, and cancelling out, during the search, the position t and the position −t.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a Continuation of PCT International Application No.PCT/JP2018/048531, filed on Dec. 28, 2018, which is hereby expresslyincorporated by reference into the present application.

TECHNICAL FIELD

The present invention relates to a secret search system and a secretsearch method which are configured to search for, from among a pluralityof character-strings-to-be-searched, a character-string-to-be-searchedwhich includes a search character string.

BACKGROUND ART

Secret search is a technology that allows data to be searched while thedata is still encrypted. Currently, cloud services are beginning tobecome widespread, and the use of cloud storage that can be used at lowcost and without much trouble is becoming popular. Meanwhile, there is arisk of information leakage when data including private information,which is sensitive information that is to be handled very carefully, ismanaged in the cloud. Therefore, the data is required to be stored byencrypting the data. Secret search can achieve both security andconvenience even for encrypted data because the search is performedwithout decrypting the data.

In the secret search, the search is implemented by using two encryptedkeywords. The first keyword is a ciphertext of a keyword associated withthe data (hereinafter referred to as “character-string-to-be-searched”),and is called an encrypted tag. The second keyword is a ciphertext ofthe keyword to be searched (hereinafter referred to as “search characterstring”), and is called a search key. When the data is registered, theencrypted data and the encrypted tag are registered in a storage server.At this point, the encrypted tag is held as an encryption index inassociation with the data to be associated or with an identifier of thedata. In the secret search, the search is implemented without exposingdata and keyword information by identifying the encrypted tag matchingthe search key transmitted by a searcher from the encryption indexwithout decrypting the data.

For the secret search, there are known a method in which there isdetermined to be a match when a character-string-to-be-searched and thesearch character string are the same (hereinafter referred to as “exactmatch secret search”), and a method in which there is determined to be amatch when the search character string is included in acharacter-string-to-be-searched (hereinafter referred to as “partialmatch secret search”). In the partial match secret search, it ispossible to determine whether or not there is a match with a partialcharacter string of the encrypted tag, and therefore the partial matchsecret search has a high level of convenience because a fuzzier searchcan be implemented than in the exact match secret search. One method ofimplementing the partial match secret search is to generate a ciphertextfor each partial character string, for example, a character or a word.When a partial character string of the encrypted tag or the search keycan be replaced or separated for further search, the information on thepartial character string may be leaked by an attack, for example, afrequency analysis method. Therefore, there is required a mechanism forpreventing a malicious third party from performing a search not intendedby a registrant or a searcher.

In Patent Literature 1 and Patent Literature 2, there are shown methodscapable of implementing a partial match secret search. However, themethod of Patent Literature 1 uses the same key for generation of theencrypted tag and for generation of the search key, and thereforepermissions are not separable. The method of Patent Literature 2 is moresecure than Patent Literature 1 because different keys can be used forgenerating the encrypted tag and the search key, and a key having adifferent permission can be generated for each searcher. Further, themethod of Patent Literature 2 prevents an unintended search by amalicious third party by embedding a variance in a ciphertext andintroducing a secret key required for a partial match search(hereinafter referred to as “shift secret key”).

In Non Patent Literature 1, there is shown a highly secure encryptionmethod which can be used for partial match secret search. However, inNon Patent Literature 1, there is no description about a method forreducing an amount of search information transmitted from a searcherterminal to a search device by search key conversion like that of PatentLiterature 2. The search key conversion of Patent Literature 2 is nowdescribed below.

As described above, in Patent Literature 2, a highly secure and flexiblepartial match secret search is implemented by separating thepermissions. However, in Patent Literature 2, in order to determinewhether or not the partial character string of the encrypted tag and thesearch key match, it is required to perform processing of matching a topcharacter position in a partial character string of the encrypted tagwith a top character position of the search key. This processing iscalled “search key conversion.” Thus, in Patent Literature 2, it isrequired to perform search key conversion, and depending on the numberof characters of the encrypted tag or search key, the search time may besignificantly increased.

CITATION LIST Patent Literature

[PTL 1] WO 2017/122352 A1

[PTL 2] WO 2016/113878 A1

Non Patent Literature

[NPL 1] Tatsuaki Okamoto and Katsuyuki Takashima, “Fully SecureUnbounded Inner-Product and Attribute-Based Encryption,” Asiacrypt 2012,LNCS 7658, 2012, pp. 349-366

SUMMARY OF INVENTION Technical Problem

As described above, in the search processing described in PatentLiterature 2, the search key conversion processing requires a largeamount of calculations, and therefore there is a problem in that whenthe determination regarding whether or not a partial character string ofthe encrypted tag matches the search key is used often, the search timebecomes longer.

The present invention has been made to solve the problems describedabove, and it is an object of the present invention to obtain a secretsearch system and a secret search method which are capable of speedingup a search time while preventing an unintended search by a maliciousthird party.

Solution to Problem

According to one embodiment of the present invention, there is provideda secret search system including: a search key generation unitconfigured to generate a search key TD_(v) in which a position of eachcharacter of a search character string is specified and set; anencrypted tag generation unit configured to generate encrypted tagsET_(x) in which a position of each character of acharacter-string-to-be-searched is specified and set; and a search unitconfigured to search for, from among the encrypted tags ET_(x), anencrypted tag ET_(x) corresponding to the search key TD_(v), wherein anindex t indicating the position of each character is set in one of anelement included in the search key TD_(v) and an element included in theencrypted tags ET_(x), and an index −t having a sign obtained byinverting a sign of the index t is set in the other of the elementincluded in the search key TD_(v) and the element included in theencrypted tags ET_(x), and wherein the secret search system isconfigured to search for the encrypted tag ET_(x) corresponding to thesearch key TD_(v) by, during the search, adding the index t and theindex −t set in the search key TD_(v) and the encrypted tags ET_(x) tocancel out the index t and the index Δt.

According to one embodiment of the present invention, there is provideda secret search method including: a search key generation step ofgenerating a search key TD_(v) in which a position of each character ofa search character string is specified and set; an encrypted taggeneration step of generating a plurality of encrypted tags ET_(x) inwhich a position of each character of a character-string-to-be-searchedis specified and set; and a search step of searching for, from among theplurality of encrypted tags ET_(x), an encrypted tag ET_(x)corresponding to the search key TD_(v), wherein an index t indicatingthe position of each character is set in one of an element included inthe search key TD_(v) and an element included in the plurality ofencrypted tags ET_(x), and an index −t having a sign obtained byinverting a sign of the index t is set in the other of the elementincluded in the search key TD_(v) and the element included in theplurality of encrypted tags ET_(x), and wherein the encrypted tag ET_(x)corresponding to the search key TD_(v) is searched for by, during thesearch, adding the index t and the index −t set in the search key TD_(v)and the plurality of encrypted tags ET_(x) to cancel out the index t andthe index −t.

Advantageous Effects of Invention

According to the secret search system and the secret search method ofthe present invention, it is possible to speed up the search time whilepreventing the unintended search by the malicious third party.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is an explanatory diagram of how an inner product is obtained ininner-product predicate encryption.

FIG. 2 is an explanatory diagram of how an inner product is obtained inthe inner-product predicate encryption.

FIG. 3 is an explanatory diagram of a basic structure of theinner-product predicate encryption.

FIG. 4 is an explanatory diagram of a key technique to be used in apartial match secret search scheme in a first embodiment of the presentinvention.

FIG. 5 is an explanatory diagram of an implementation example of thepartial match secret search scheme in the first embodiment of thepresent invention.

FIG. 6 is an explanatory diagram of an implementation example of thepartial match secret search scheme in the first embodiment of thepresent invention.

FIG. 7 is an explanatory diagram of an implementation example of thepartial match secret search scheme in the first embodiment of thepresent invention.

FIG. 8 is a configuration diagram of a secret search system according tothe first embodiment of the present invention.

FIG. 9 is a configuration diagram of a key generation device in thefirst embodiment of the present invention.

FIG. 10 is a configuration diagram of an encrypted tag generation devicein the first embodiment of the present invention.

FIG. 11 is a configuration diagram of a search key generation device inthe first embodiment of the present invention.

FIG. 12 is a configuration diagram of a search device in the firstembodiment of the present invention.

FIG. 13 is a flowchart of processing of a KG algorithm in the firstembodiment of the present invention.

FIG. 14 is a flowchart of processing of a TagGen algorithm in the firstembodiment of the present invention.

FIG. 15 is a flowchart of processing of a TrapGen algorithm in the firstembodiment of the present invention.

FIG. 16 is a flowchart of processing of a Search algorithm in the firstembodiment of the present invention.

FIG. 17 is a diagram for illustrating a hardware configuration exampleof the key generation device, the encrypted tag generation device, thesearch key generation device, an after-conversion search key generationdevice, and the search device in the first embodiment of the presentinvention.

DESCRIPTION OF EMBODIMENTS First Embodiment

A secret search system according to a first embodiment of the presentinvention is now described with reference to the drawings.

<Description of Notation>

First, description is made of notation used in the followingdescription.

When “A” is a random value or distribution, Expression (1) representsthat “y” is randomly selected from “A” in accordance with thedistribution of “A.” That is, in the following Expression (1), “y” is arandom number.

$\begin{matrix}{y\overset{R}{\longleftarrow}A} & (1)\end{matrix}$

When “A” is a set, Expression (2) represents that “y” is uniformlyselected from “A.” That is, in the following Expression (2), “y” is auniform random number.

$\begin{matrix}{y\overset{U}{\longleftarrow}A} & (2)\end{matrix}$

Expression (3) represents that “z” is set for “y,” “y” is defined by“z,” or “y” is substituted for “z.”

y:=z   (3)

When “a” is a constant, Expression (4) represents that a machine A or analgorithm A outputs “a” for an input x, and Expression (5) represents anexample for a case in which a=1.

A(x)→a   (4)

A(x)→1   (5)

Expression (6) represents the field of an order q.

_(q)   (6)

Vector x^(→) represents a vector representation like that represented bythe following Expression (7) in a finite field F_(q). The notation “→”means that “→” is added above the symbol written before the notation,and represents a vector.

(x₁, . . . , x_(n))∈

_(q) ^(n)   (7)

Expression (8) represents an inner product represented by Expression(10) of two vectors x^(→) and v^(→) represented by Expression (9).

$\begin{matrix}{\overset{\rightarrow}{x} \cdot \overset{\rightarrow}{v}} & (8) \\\begin{matrix}{\overset{\rightarrow}{x} = \left( {x_{1},\ldots\mspace{14mu},x_{n}} \right)} \\{\overset{\rightarrow}{v} = \left( {v_{1},\ldots\mspace{14mu},v_{n}} \right)}\end{matrix} & (9) \\{\sum_{i = 1}^{n}{x_{i}v_{i}}} & (10)\end{matrix}$

The notation “X^(T)” represents a transposed matrix of a matrix X.

Further, a base B and a base B* represented by Expression (11) satisfythe relationship of Expression (12).

$\begin{matrix}\begin{matrix}{{\mathbb{B}}:=\left( {b_{1},\ldots\mspace{14mu},b_{N}} \right)} \\{{\mathbb{B}}^{*}:=\left( {b_{1}^{*},\ldots\mspace{14mu},b_{N}^{*}} \right)}\end{matrix} & (11) \\\begin{matrix}{{\left( {x_{1},\ldots\mspace{14mu},x_{N}} \right)_{\mathbb{B}}:={\sum_{i = 1}^{N}{x_{i}b_{i}}}},} \\{\left( {y_{1},\ldots\mspace{14mu},y_{N}} \right)_{{\mathbb{B}}^{*}}:={\sum_{i = 1}^{N}{y_{i}b_{i}^{*}}}}\end{matrix} & (12)\end{matrix}$

<Description of Outline of First Embodiment>

In the first embodiment, a partial match secret search scheme isimplemented by applying -product predicate encryption.

A method of obtaining the inner product in the inner-product predicateencryption is now described with reference to FIG. 1 and FIG. 2.

As illustrated in FIG. 1, it is assumed that a ciphertext is a vectorx^(→)=(x₁, x₂, . . . , x_(n)) and a key is a vector v^(→)=(v₁, v₂, . . ., v_(n)). The ciphertext vector x^(→) and the key vector v^(→) have thesame number of elements. In this case, in the inner-product predicateencryption, an inner product Σ_(i=1) ^(n) (x_(i)·v_(i)) of the vectorx^(→) and the vector v^(→) is calculated, and the ciphertext isdecrypted by the key. That is, the sum of the inner products ofcorresponding elements of the ciphertext vector x^(→) and the key vectorv^(→) is calculated, and the ciphertext is decrypted by the key.

Further, as illustrated in FIG. 2, like in the case in which theciphertext is the vector x^(→)=(x₁, x₂) and the key is the vectorv^(→)=(v₁, v₂, . . . , v_(n)), the number of elements of the ciphertextvector x^(→) and the key vector v^(→) may be different from each other.In this case as well, the sum of the inner products of correspondingelements of the ciphertext vector x^(→) and the key vector v^(→) iscalculated, and the ciphertext is decrypted by the key. In the case ofFIG. 2, the elements x₁ and x₂ of the vector x^(→) correspond to theelements v₁ and v₂ of the vector v^(→), respectively, and therefore thesum of the inner products of each of those elements is calculated.Meanwhile, regarding the elements v₃, . . . v_(n) of the vector v^(→),there are no corresponding elements of the vector x^(→), and thereforean inner product is not calculated.

Next, a basic configuration of the inner-product predicate encryption isdescribed with reference to FIG. 3.

In general, in the inner-product predicate encryption, a secret value s₀and a variance s_(t) for each integer t of t∈Iv are used. The secretvalue s₀ and the variance s_(t) have a relationship of “s₀=Σ_(t⊂IvS)_(t) .” In the relationship, “t” is an index and “Iv” is a set ofindices t.

The key includes an element k*₀, which is a vector in a base B*₀ inwhich the secret value s₀ is set, and for each integer t of t∈Iv, anelement k*_(t), which is a vector in the base B*₀ in which the variances_(t), an attribute value v_(t), and the index t are set. Meanwhile, theciphertext includes an element c₀, which is a vector in the base B₀corresponding to the base B*₀, and for each integer t of t∈Ix, anelement c_(t), which is a vector in the base B*₀ corresponding to thebase B* in which an attribute value x_(t), and the index t are set.Here, “Ix” is a set of the indices t.

Then, the inner product of the element k*₀ and the element co iscalculated, and for each integer t of t∈Iv, the inner product of theelement k*_(t) included in the key and the element c_(t) included in theciphertext is calculated. For each integer t of t∈Iv, the variance s_(t)is obtained when the attribute value v_(t) set in the element k*_(t) andthe attribute value x_(t) set in the element c_(t) correspond to eachother. In this case, s₀=Σ_(t∈IvS) _(t) , and therefore when the variances_(t) set in all of the elements k*_(t) of t∈Iv is obtained, the secretvalue so set in the element k*₀ is obtained. Then, in this case, theciphertext can be decrypted by the key.

As described above, an index t is set for the element k*_(t) and theelement c_(t). Therefore, even when an attribute value v_(i) and anattribute value x_(j) correspond to each other for the integers i and jwhen i≠j, a variance s_(i) is not obtained even when the inner productof the element k*_(i) and the element c_(t) is calculated. Here, theindex t indicates the position of each character in acharacter-string-to-be-searched and a search character string.

Next, a key technique of the partial match secret search scheme in thefirst embodiment is described with reference to FIG. 4.

In the basic configuration of the inner-product predicate encryptiondescribed above, an unintended search by a malicious third party isprevented by each element μ(t, −1) and σ(1, t) relating to the index tof the element c_(t) of the ciphertext and the element k*_(t) of thekey. Meanwhile, it is not possible to calculate the variance s_(i)unless the elements share the same index t, and therefore it isdifficult to implement the partial match secret search without anadditional mechanism and additional calculation.

Therefore, in the first embodiment, the method of setting the index t ischanged. As illustrated in FIG. 4, first, a variance τ_(t) is newlyused. That is, in the first embodiment, in the inner-product predicateencryption, the secret value s₀, a first variance s_(t) for each integert of t∈Iv, and a second variance τ_(t) for each integer t of t∈Iv areused. The secret value so and the variance s_(t) have a relationship of“s₀=Σ_(t∈IvS) _(t) .” Further, the variance τ_(t) for each integer tsatisfies the relationship of “0=Σ_(t∈Ivτ) _(t) .”

Next, in the first embodiment, γβ^(−t) is set for the element c_(t) ofthe ciphertext in place of σ(1, t). Further, γ′β′τ_(t) is set for theelement k*_(t) of the key in place of μ(t, −1). That is, in the firstembodiment, the key includes the element k*₀ and the element k*_(t). Theelement k*₀ is a vector in the base B*₀ in which the secret value s₀ isset. The element k*_(t) is a vector in the base B* in which the firstvariance s_(t), the second variance τ_(t), the attribute value v_(t),and the index t are set for each integer t of t∈Iv. Meanwhile, theciphertext includes the element c₀ and the element c_(t). The element c₀is a vector in the base B₀ corresponding to the base B*₀. The elementc_(t) is a vector in the base B corresponding to the base B* in whichthe attribute value x_(t) and the index −t are set for each integer t oft∈Ix.

In this case, it is assumed that β is a fixed element of F_(q) having asufficiently large order, and that γand γ′ are random numbers. However,the sign of the exponent of β may be switched between the ciphertext andthe key. That is, in the above description, the index t is set for thekey, which is the search character string, and the index −t is set forthe ciphertext, which is the character-string-to-be-searched. However,the present invention is not limited to that case, and the index −t maybe set for the key, which is the search character string, and the indext may be set for the ciphertext, which is thecharacter-string-to-be-searched. Further, γand γ′ may be omitted.Moreover, β may be disclosed, but β may also be shared in advance assecret information by using a secure communication path between aregistrant and a searcher.

Therefore, for example, when a partial match secret search is performedbetween a ciphertext and a key sharing the same index t, the innerproduct is calculated based on the element c_(t) of each ciphertext andthe element k*_(t) of each key for each index t. As a result, theexponent of the elements of β for each index t cancel each other out,and γγ′τ_(t) can be extracted. At this time, 0=γγ′Σ_(t∈Ivτ) _(t) , andhence the terms of τ_(t) cancel each other out, and the remainingvariance s_(i) can be obtained.

Next, there is described a case in which the partial match secret searchis performed by shifting the index of the elements of the ciphertext byα with respect to the index t of the elements of the key. That is, inthis case, the inner product of the element c_(t+α) of the ciphertextand the element k*_(t) of the key is calculated, and γγ′β^(−α)τ_(t) canbe extracted for each index t. As a result, 0=γγ′β^(−α)Σ_(t∈Ivτ) _(t) ,and hence the terms of τ_(t) cancel each other out, and the remainingvariance s_(i) can be obtained.

In other words, the determination of a match can be performed only whenall the elements of the key are shifted by a certain width α. This meansthat it is possible to implement the partial match secret search withoutperforming search key conversion processing, and that an unintendedsearch by replacing or separating characters can be prevented.

As described above, in the first embodiment, the first variance s_(t)and the second variance τ_(t) are used in the inner-product predicateencryption. Further, the index t is set in one of the key, which is thesearch character string, and the ciphertext, which is thecharacter-string-to-be-searched, and the index −t having an invertedsign is set in the other of the key and the ciphertext. Therefore, whenthe inner product is calculated, the index t can be canceled out. As aresult, the search key conversion processing required in PatentLiterature 2 is not required, and the search time can be shortened.Further, it is possible to prevent an unintended search by a maliciousthird party.

An implementation example of the partial match secret search scheme inthe first embodiment is now described with reference to FIG. 5.

As illustrated in FIG. 5, encrypted tags ET_(x) generated by encryptingthe character-string-to-be-searched, which is a search tag “ABCDE,” arestored in a database. At this time, it is assumed that the characterstring “CD” is given as the search character string.

In this case, ciphertext elements c_(t) having each character of thecharacter-string-to-be-searched “ABCDE” as an attribute value x_(t) aregenerated. That is, an attribute value A is set in an element c₁ributevalue B is set in an element c₂, an attribute value C is set in anelement c₃, an attribute value D is set in an element c₄, and anattribute value E is set in an element c₅. In this way, in the encryptedtags ET_(x), the position of each character of thecharacter-string-to-be-searched is specified and set.

Meanwhile, the search key TD_(v) in which each character of thecharacter string “CD” is an attribute value v_(t) is generated. That is,the attribute value C is set in the element k*₁, and the attribute valueD is set in the element k*₂. In this way, in the search key TD_(v), theposition of each character of the search character string is specifiedand set.

In the search processing, as illustrated in FIG. 5, the determinationregarding whether or not there is a match is performed by decrypting theencrypted tags ET_(x) in order by shifting the element k*_(t) of thesearch key TD_(v) in order one by one. In this implementation example,there is determined to be a match when the elements c₃ and c₄ aredecrypted by the elements k*₁ and k*₂.

Next, another implementation example of the partial match secret searchscheme in the first embodiment is now described with reference to FIG.6.

It is assumed that encrypted tags ET_(x) generated by encrypting thecharacter-string-to-be-searched, which is a search tag “ABCDE,” arestored in a database, and that the character string “BD” is given as thesearch character string.

In this case, ciphertext elements c_(t) having each character of thecharacter-string-to-be-searched “ABCDE” as an attribute value x_(t) aregenerated. That is, an attribute value A is set in an element ci, anattribute value B is set in an element c₂, an attribute value C is setin an element c₃, an attribute value D is set in an element c₄, and anattribute value E is set in an element c₅.

Meanwhile, the search key TD_(v) in which each character of thecharacter string “BD” is an attribute value v_(t) is generated. That is,the attribute value B is set in the element k*₁, and the attribute valueD is set in the element k*₂.

In this implementation example, for example, as an unintended search,there is considered a case in which the elements c₂ and c₄ are decryptedby illegitimately separating the elements k*₁ and k*₂. At this time, theattribute value of each element matches, and hence calculating the innerproduct cancels out the v_(t) and x_(t) components to give a value of 0.Meanwhile, the term of τ_(t) extracted as a result of calculating theinner product is γγ′(β⁻¹τ₁+β⁻²τ₂)≠0, meaning that the components are notcanceled out, and therefore the result of partial match secret search isa “non-match.”

Next, yet another implementation example of the partial match secretsearch scheme in the first embodiment is now described with reference toFIG. 7.

It is assumed that encrypted tags generated by encrypting thecharacter-string-to-be-searched, which is a search tag “ABCDE,” arestored in a database, and that the character string “BA” is given as thesearch character string.

In this case, ciphertext elements c_(t) having each character of thecharacter-string-to-be-searched “ABCDE” as an attribute value x_(t) aregenerated. That is, an attribute value A is set in an element ci, anattribute value B is set in an element c₂, an attribute value C is setin an element c₃, an attribute value D is set in an element c4, and anattribute value E is set in an element c₅.

Meanwhile, the search key in which each character of the characterstring “BA” is an attribute value v_(t) is generated. That is, theattribute value B is set in the element k*₁, and the attribute value Ais set in the element k*₂.

In this implementation example, for example, as an unintended search,there is considered a case in which the elements c₁ and c₂ are decryptedby illegitimately replacing the elements k*₁ and k*₂. At this time, theattribute value of each element matches, and hence calculating the innerproduct cancels out the v_(t) and x_(t) components to give a value of 0.Meanwhile, the term of τ_(t) extracted as a result of calculating theinner product is γγ′(β⁻¹τ₁+β¹τ₂)≠0, meaning that the components are notcanceled out, and therefore the result of partial match secret search isa “non-match.”

In this way, in the first embodiment, as illustrated in FIG. 5, adetermination of a match is possible only when all of the elements ofthe key are shifted by a certain width α. Meanwhile, in the case of anunintended search, for example, the separation of the characters asillustrated in FIG. 6 and the replacement of characters as illustratedin FIG. 7, the determination of a match becomes impossible. As a result,an unintended search by a malicious third party can be prevented.

<Description of Configuration of Secret Search System According to FirstEmbodiment>

Before a configuration of a secret search system 10 according to thefirst embodiment is described, a basic configuration of the partialmatch secret search scheme in the first embodiment is described.

The partial match secret search scheme used by the secret search system10 according to the first embodiment includes a KG algorithm, a TagGenalgorithm, a TrapGen algorithm, and a Search algorithm.

In the KG algorithm, a security parameter λ is input and a public key pkand a secret key sk are output.

The TagGen algorithm is a probabilistic algorithm in which the publickey pk and an attribute vector x^(→) are input and an encrypted tagET_(x) is output.

The TrapGen algorithm is a probabilistic algorithm in which the publickey pk, the secret key sk, and a predicate vector v^(→) are input, and asearch key TD_(v) is output.

The Search algorithm is a deterministic algorithm in which the publickey pk, the encrypted tag ET_(x), and the search key TD_(v) are input,and a “0” indicating that there has been a hit in the search or a “1”indicating that there has not been a hit in the search is output.

The secret search system 10 according to the first embodiment is nowdescribed with reference to FIG. 8.

The secret search system 10 illustrated in FIG. 8 generates the searchkey TD_(v) in which the position of each character of the searchcharacter string is specified and set. Further, the secret search system10 generates a plurality of the encrypted tags ET_(x) in which theposition of each character of a character-string-to-be-searched isspecified and set. The secret search system 10 searches for theencrypted tag ET_(x) corresponding to the generated search key TD_(v).At this time, as described above, the secret search system 10 sets forthe search key TD_(v) an index t indicating the position of eachcharacter, and sets for the encrypted tags ET_(x) an index −t having asign obtained by inverting a sign of the index t. Therefore, during asearch, by adding the index t and the index −t set for the search keyTD_(v) and the encrypted tag ET_(x), the positions set in both of thoseindices are canceled out, and an encrypted tag ET_(x) including thesearch key TD_(v) as the partial character string is searched for.

As illustrated in FIG. 8, the secret search system 10 includes a keygeneration device 100, an encrypted tag generation device 200, a searchkey generation device 300, and a search device 500.

In this case, the key generation device 100, the encrypted taggeneration device 200, the search key generation device 300, and thesearch device 500 are separate devices, but two or more of those devicesmay be configured as one device. Therefore, the terms “key generationdevice 100,” “encrypted tag generation device 200,” “search keygeneration device 300,” and “search device 500” may also be read as “keygeneration unit,” “encrypted tag generation unit,” “search keygeneration unit,” and “search unit,” respectively, and may each serve asa constituent element of one or more devices.

The key generation device 100 is configured to execute the KG algorithmby using the security parameter λ as an input to output the public keypk, the secret key sk, and a fixed value β. The security parameter λ isinput by, for example, an administrator of the secret search system 10on an input device connected to an input interface of the secret searchsystem 10.

The encrypted tag generation device 200 is configured to execute theTagGen algorithm by using the public key pk, the attribute vector x^(→),and the fixed value β as inputs to generate an encrypted tag ETX. Theattribute vector x^(→) is input by, for example, the administrator ofthe secret search system 10 or a user of the encrypted tag generationdevice 200 on the input device connected to the input interface of thesecret search system 10.

The search key generation device 300 is configured to execute theTrapGen algorithm by using the public key pk, the secret key sk, thepredicate vector v^(→), and the fixed value β as inputs to generate thesearch key TD_(v). The predicate vector v^(→) is input by, for example,the administrator of the secret search system 10 or the user of thesearch key generation device 300 on the input device connected to theinput interface of the secret search system 10.

The search device 500 is configured to execute the Search algorithm byusing the public key pk, an encrypted tag ET_(x), and the search keyTD_(v) as inputs to search for an encrypted tag ET_(x) including thesearch key TD_(v) as the partial character string. The search device 500outputs a “0” indicating that there has been a hit in the search or a“1” indicating that there has not been a hit in the search is output.

Next, a configuration of the key generation device 100 in the firstembodiment is described with reference to FIG. 9.

As illustrated in FIG. 9, the key generation device 100 includes aninformation acquisition unit 110, a base generation unit 120, a keygeneration unit 140, and a key output unit 150.

The information acquisition unit 110 is configured to acquire thesecurity parameter λ input from the input device connected to the secretsearch system 10.

The base generation unit 120 is configured to generate, based on thesecurity parameter k, the base B₀, the base B*₀, the base B, and thebase B*, which are bases for implementing the partial match secretsearch scheme. Further, the base generation unit 120 generates aparameter “param.” The method of generating those bases and theparameter is described later.

The key generation unit 140 is configured to use the base Bo, the baseB, and the parameter “param” to generate the public key pk. Further, thekey generation unit 140 uses the base B*₀ and the base B* to generatethe secret key sk. Moreover, the key generation unit 140 generates thefixed value β. The method of generating the public key pk, the secretkey sk, and the fixed value β is described later.

The key output unit 150 is configured to disclose the public key pkgenerated by the key generation unit 140. Further, the key output unit150 outputs the secret key sk generated by the key generation unit 140to the search key generation device 300. Moreover, the key output unit150 outputs the fixed value β generated by the key generation unit 140to the encrypted tag generation device 200 and the search key generationdevice 300. At this time, the fixed value β may be disclosed, or may beoutput as secret information to the encrypted tag generation device 200and the search key generation device 300 by using a secure communicationpath.

Next, a configuration of the encrypted tag generation device 200 in thefirst embodiment is described with reference to FIG. 10.

As illustrated in FIG. 10, the encrypted tag generation device 200includes an information acquisition unit 210, a tag generation unit 220,and an encrypted tag output unit 230.

The information acquisition unit 210 is configured to acquire the publickey pk and the fixed value β from the key generation device 100, andalso to acquire the attribute vector x^(→) input from the input deviceconnected to the secret search system 10.

The tag generation unit 220 is configured to use the public key pk, thefixed value β, and the attribute vector x^(→) to generate an encryptedtag ET_(x) including one or more tag vectors c_(t) in the base B. Thetag generation unit 220 includes a random number generation unit 221 andan element generation unit 222. Operation of each of the random numbergeneration unit 221 and the element generation unit 222 is describedlater.

The encrypted tag output unit 230 is configured to output the encryptedtag ET_(x) to the search device 500.

Next, a configuration of the search key generation device 300 in thefirst embodiment is described with reference to FIG. 11.

As illustrated in FIG. 11, the search key generation device 300 includesan information acquisition unit 310, a key generation unit 320, and akey output unit 330.

The information acquisition unit 310 is configured to acquire the publickey pk, the secret key sk, and the fixed value β from the key generationdevice 100, and also to acquire the predicate vector v^(→) from theinput device connected to the secret search system 10.

The key generation unit 320 is configured to use the public key pk, thesecret key sk, the fixed value β, and the predicate vector v^(→) togenerate a search key TD_(v) in which the position of each character ofthe character string is specified and set. Here, the key generation unit320 generates a search key TD_(v) including the one or more searchvectors k*_(t) in the base B*. The key generation unit 320 includes arandom number generation unit 321, a secret value generation unit 322,and an element generation unit 323. Operation of each of the randomnumber generation unit 321, the secret value generation unit 322, andthe element generation unit 323 is described later.

The key output unit 330 is configured to output the search key TD_(v)generated by the key generation unit 320 to the search device 500.

Next, a configuration of the search device 500 in the first embodimentis described with reference to FIG. 12.

As illustrated in FIG. 12, the search device 500 includes an informationacquisition unit 510, a search determination unit 520, and a resultoutput unit 530.

The information acquisition unit 510 is configured to acquire the publickey pk from the key generation device 100. Further, the informationacquisition unit 510 acquires the encrypted tag ET_(x) from theencrypted tag generation device 200. Moreover, the informationacquisition unit 510 acquires the search key TD_(v) from the search keygeneration device 300.

The search determination unit 520 is configured to search for, fromamong a plurality of encrypted tags ET_(x) which are generated by theencrypted tag generation device 200 and in which the position of eachcharacter of a character string is specified and set, for each characterset in the search key TD_(v) generated by the search key generationdevice 300, an encrypted tag ET_(x) having a match between the characterand the character set at the position specified for the character. Inthis case, the search determination unit 520 determines whether or notthere is a hit in the search by using the public key pk and the searchkey TD_(v) to decrypt the encrypted tags ET_(x). That is, the searchdetermination unit 520 searches for an encrypted tag ET_(x)corresponding to the search key TD_(v) generated by the search keygeneration device 300 from among the plurality of encrypted tags ET_(x)generated by the encrypted tag generation device 200.

The result output unit 530 is configured to output a “0” indicating thatthere has been a hit in the search or a “1” indicating that there hasnot been a hit in the search.

<Description of Operation of Secret Search System According to FirstEmbodiment>

Operation of the secret search system 10 according to the firstembodiment is now described with reference to FIG. 13 to FIG. 16.

[Description of Processing of KG Algorithm]

First, the processing of the KG algorithm is described with reference toFIG. 13. As described above, the KG algorithm is executed by the keygeneration device 100. The KG algorithm corresponds to a key generationstep in a secret search method according to the first embodiment.Further, the KG algorithm corresponds to key generation processing in asecret search program in the first embodiment.

[Step S101: Information Acquisition Processing]

In Step S101, the information acquisition unit 110 acquires the securityparameter λ. The security parameter λ is input by, for example, theadministrator of the secret search system 10 on the input device.

[Step S102: Base Generation Processing]

In Step S102, the base generation unit 120 calculates the followingExpression (13) by using the security parameter λ as an input togenerate the base B₀, the base B*₀, a base B₁, a base B*₁, and theparameter “param” of a dual pairing vector space. In the followingdescription, “base B₁” and “base B*₁” are also written as “base B” and“base B*,” respectively. Further, the fixed value “β” is generated asthe element of F_(q) having a sufficiently large order.

$\begin{matrix}{{{\left. {\left. {\left( {{param},\left( {{\mathbb{B}}_{0},{\mathbb{B}}_{0}^{*}} \right),\left( {{\mathbb{B}}_{1},{\mathbb{B}}_{1}^{*}} \right)} \right)\overset{R}{\longleftarrow}{\mathcal{G}_{ob}\left( {1^{\lambda},{N_{0} = {{5N_{1}} = {3 + n_{1} + n_{2} + n_{3}}}}} \right)}} \right),\mspace{79mu}{\mathcal{G}_{ob}\left( {1^{\lambda},N_{0},N_{1}} \right)}} \right):\mspace{79mu}{param}_{\mathbb{G}}}:={\left( {q,{\mathbb{G}},{\mathbb{G}}_{T},g,e} \right)\overset{R}{\longleftarrow}{\mathcal{G}_{bpg}\left( 1^{\lambda} \right)}}},\mspace{79mu}{\psi\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{\times}},{g_{T}:={e\left( {g,g} \right)}^{\psi}},\mspace{79mu}{{{for}\mspace{14mu} t} = 0},1,\mspace{79mu}{{param}_{{\mathbb{V}}_{t}}:={\left( {q,{\mathbb{V}}_{t},{\mathbb{G}}_{T},{\mathbb{A}}_{t},e} \right)\overset{R}{\longleftarrow}{\mathcal{G}_{dpvs}\left( {1^{\lambda},N_{t},{param}_{\mathbb{G}}} \right)}}},\mspace{79mu}{X_{t} = {\begin{pmatrix}{\overset{\rightarrow}{\chi}}_{t,1} \\\vdots \\{{\overset{\rightarrow}{\chi}}_{t,}N_{t}}\end{pmatrix}:={\left( {\chi_{t},i,j} \right)_{i,j}\overset{U}{\longleftarrow}{{GL}\left( {N_{t},{\mathbb{F}}_{q}} \right)}}}},\mspace{79mu}{\begin{pmatrix}{\overset{\rightarrow}{\chi}}_{t,1} \\\vdots \\{{\overset{\rightarrow}{\chi}}_{t,}N_{t}}\end{pmatrix}:={\left( \nu_{t,i,j} \right)_{i,j}:={\psi \cdot \left( X_{t}^{T} \right)^{- 1}}}},\mspace{79mu}{b_{t,i}:={\sum_{j = 1}^{N_{t}}{\chi_{t,i,j}a_{t,j}}}},{{\mathbb{B}}_{t}:=\left( {b_{t,1},\ldots\mspace{14mu},b_{t,N_{t}}} \right)},\mspace{79mu}{b_{t,i}^{*}:={\sum_{j = 1}^{N_{t}}{\nu_{t,i,j}a_{t,j}}}},{{\mathbb{B}}_{t}^{*}:=\left( {b_{t,1}^{*},\ldots\mspace{14mu},b_{t,N_{t}}^{*}} \right)},\mspace{79mu}{{param}:=\left( {\left\{ {param}_{{\mathbb{V}}_{t}} \right\}_{{t = 0},1},g_{T}} \right)},\mspace{79mu}{{return}\mspace{14mu}{param}},\left\{ {{\mathbb{B}}_{0},{\mathbb{B}}_{0}^{*}} \right\},{\left\{ {{\mathbb{B}}_{1},{\mathbb{B}}_{1}^{*}} \right\}.}} & (13)\end{matrix}$

In Expression (13), G_(bpg) is a function for generating a bilinearpairing group, and G_(dpvs) is a function for generating a dual pairingvector space.

[Step S104: Public Key Generation Processing]

In Step S104, the key generation unit 140 generates a partial baseB{circumflex over ( )}₀ of the base B₀ generated in Step S102 and apartial base B{circumflex over ( )} of the base B, as represented by thefollowing Expression (14).

$\begin{matrix}{\mspace{79mu}{{\hat{\mathbb{B}}}_{0}:=\left( {b_{0,1},b_{0,3},{{b_{0,5}\text{?}\mspace{79mu}\hat{\mathbb{B}}}:={\left( {b_{1,1},b_{1,2},b_{1,3},b_{1,{3 + n_{1} + n_{2} + 1}},\ldots\mspace{14mu},b_{1,{3 + n_{1} + n_{2} + n_{3}}}} \right)\text{?}\text{indicates text missing or illegible when filed}}}} \right.}} & (14)\end{matrix}$

The key generation unit 140 sets the partial bases B{circumflex over( )}₀ and B{circumflex over ( )} and the parameter “param” generated inStep S102 as the public key pk.

[Step S105: Secret Key Generation Processing]

In Step S105, the key generation unit 140 generates a partial baseB{circumflex over ( )}*₀ of the base B*₀ generated in Step S102 and apartial base B{circumflex over ( )}* of the base B*, as represented bythe following Expression (15). The notation “{circumflex over ( )}”means that {circumflex over ( )} is added above the symbol writtenbefore the notation.

$\begin{matrix}{{{\hat{\mathbb{B}}}_{0}^{*}:=\left( {b_{0,1}^{*},b_{0,3}^{*},b_{0,5}^{*}} \right)},{{\hat{\mathbb{B}}}^{*}:=\left( {b_{1,1}^{*},b_{1,2}^{*},b_{1,3}^{*},b_{1,{3 + n_{1} + n_{2} + 1}}^{*},\ldots\mspace{14mu},b_{1,{3 + n_{1} + n_{2}}}^{*}} \right)}} & (15)\end{matrix}$

The key generation unit 140 sets the partial base B{circumflex over( )}*₀ and the part ial base B{circumflex over ( )}* as the secret keysk.

[Step S107: Key Output Processing]

In Step S107, the key output unit 150 outputs the public key pkgenerated in Step S104 to a server for disclosure, for example, todisclose the public key pk. Further, the key output unit 150 outputs, ina manner maintaining secrecy, the secret key sk generated in Step S105to the search key generation device 300. Moreover, the key output unit150 outputs the fixed value β generated in Step S102 to the encryptedtag generation device 200 and the search key generation device 300. Atthis time, the fixed value β may be output to the encrypted taggeneration device 200 and the search key generation device 300 bydisclosing the fixed value β, or may be output as secret information tothe encrypted tag generation device 200 and the search key generationdevice 300 by using a secure communication path.

[Description of Processing of TagGen Algorithm]

Next, processing of the TagGen algorithm in the first embodiment isdescribed with reference to FIG. 14. As described above, the TagGenalgorithm is executed by the encrypted tag generation device 200. TheTagGen algorithm corresponds to an encrypted tag generation step in thesecret search method according to the first embodiment. Further, theTagGen algorithm corresponds to encrypted tag generation processing inthe secret search program in the first embodiment.

[Step S201: Information Acquisition Processing]

In Step S201, the information acquisition unit 210 acquires the publickey pk disclosed by the key generation device 100. The informationacquisition unit 210 also acquires the fixed value β output by the keygeneration device 100.

Further, the information acquisition unit 210 acquires the attributevector x^(→) input on the input device by the user of the encrypted taggeneration device 200, for example. The attribute vector x^(→) isrepresented by the following expression.

Attribute vector x^(→):={(t, x _(t))|t∈Ix⊂{1, . . . }}

In the expression, Ix is a set of indices. For example, as describedwith reference to FIG. 5 to FIG. 7, each character of the characterstring serving as the search tag is set in each element x_(t) of theattribute vector x^(→) .

[Step S202: Random Number Generation Processing]

In Step S202, the random number generation unit 221 generates a randomnumber in the manner represented by Expression (16).

$\begin{matrix}{\gamma,\omega,\overset{\sim}{\omega},\zeta,\sigma_{t},\varphi_{0},\varphi_{t - 1},\ldots\mspace{14mu},{{{\varphi_{t,n_{3}}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}}\mspace{14mu}{for}\mspace{14mu} t} \in {Ix}}} & (16)\end{matrix}$

[Step S203: Tag Element Generation Processing]

In Step S203, the element generation unit 222 generates, as representedby Expression (17), a tag vector co, a tag vector c_(t) for each integert of t∈Ix, and a tag vector c_(T) by using the public key pk and theattribute vector x^(→) acquired in Step S201 and the random numbergenerated in Step S202 as inputs. In the expression, β is a fixedelement of F_(q) having a sufficiently large order.

$\begin{matrix}{{c_{0}:=\left( {\overset{\sim}{\omega},0,\zeta,0,\varphi_{0}} \right)_{{\mathbb{B}}_{0}}},{c_{t}:=\left( {\overset{\overset{1}{︷}}{{\gamma\beta}^{- 1}},\overset{\overset{1}{︷}}{\omega\; x_{t}},\overset{\overset{1}{︷}}{\overset{\sim}{\omega}},\overset{\overset{n_{1}}{︷}}{0^{n_{1}}},\overset{\overset{n_{2}}{︷}}{0^{n_{2}}},\overset{\overset{n_{3}}{︷}}{\varphi_{t,1},\ldots\mspace{14mu},\varphi_{t,n_{3}}}} \right)_{\mathbb{b}}},{c_{T}:=g_{T}^{\zeta}}} & (17)\end{matrix}$

[Step S204: Tag Output Processing]

In Step S204, the encrypted tag output unit 230 outputs the encryptedtag ET_(x) to the search device 500. The encrypted tag ET_(x) includes,as elements, a set Ix of the indices acquired in Step S201, and the tagvector c₀, the tag vector c_(t) for each integer t of t∈Ix, and the tagvector c_(T) generated in Step S203.

[Description of Processing of TrapGen Algorithm]

Next, processing of the TrapGen algorithm in the first embodiment isdescribed with reference to FIG. 15. As described above, the TrapGenalgorithm is executed by the search key generation device 300. TheTrapGen algorithm corresponds to a search key generation step in thesecret search method according to the first embodiment. Further, theTrapGen algorithm corresponds to search key generation processing in thesecret search program in the first embodiment.

[Step S301: Information Acquisition Processing]

In Step S301, the information acquisition unit 310 acquires the publickey pk disclosed by the key generation device 100 and the secret key skoutput by the key generation device 100. The information acquisitionunit 310 also acquires the fixed value β output by the key generationdevice 100.

Further, the information acquisition unit 310 acquires the predicatevector v^(→) input on the input device by the user of the search keygeneration device 300, for example. The predicate vector v^(→) isrepresented by the following expression.

Predicate vector v^(→):={(t, v_(t))|t∈Iv⊂{1, . . . }}

In the expression, Iv is a set of indices. For example, as describedwith reference to FIG. 5 to FIG. 7, each character of the characterstring serving as the search character string is set in each elementv_(t) of the predicate vector v^(→).

[Step S302: Random Number Generation Processing]

In Step S302, the random number generation unit 321 generates a randomnumber in the manner represented by Expression (18). However, unlikes_(t), τ_(t) is generated so as to satisfy 0=Σ_(t∈Ivτ) _(t) .

$\begin{matrix}{\mspace{79mu}{{\gamma^{\prime},s_{t},\delta,\eta_{0},\eta_{t,1},\ldots\mspace{14mu},{{{\eta_{t,n_{2}}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}}\mspace{14mu}{for}\mspace{14mu} t} \in {Iv}}}\mspace{79mu}{t_{0} \in I}\mspace{79mu}{{{\tau_{t}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}}\mspace{14mu}{for}\mspace{14mu} t} \in {{Iv}\backslash\left\{ {{t_{0}\text{?}\mspace{79mu}\tau_{t_{0}}}:={- {\sum\limits_{t \in {{Iv}\backslash{\{ t_{0}\}}}}{\tau_{t}\text{?}\text{indicates text missing or illegible when filed}}}}} \right.}}}} & (18)\end{matrix}$

[Step S303: Secret Value Generation Processing]

In Step S303, the secret value generation unit 322 generates a secretvalue s₀=Σ_(t∈IvS) _(t) by using the random number s_(t) for eachinteger t of t∈Iv generated in Step S202 as an input.

[Step S304: Key Element Generation Processing]

In Step S304, the element generation unit 323 generates, as representedby Expression (19), a search vector k*₀ and a search vector k*_(t) foreach integer t of t∈Iv by using the public key pk, the secret key sk,and the predicate vector v^(→) acquired in Step S301, the random numbergenerated in Step S302, and the secret value s₀ generated in Step S303as inputs. In the expression, β is a fixed element of F_(q) having asufficiently large order.

$\begin{matrix}{{{k_{0}^{*}:} = \left( {{- s_{0}},0,1,\eta_{0},0} \right)_{{\mathbb{B}}_{0}}}{k_{t}^{*}:=\left( {\overset{\overset{1}{︷}}{\gamma^{\prime}\beta^{t}\tau_{t}},\overset{\overset{1}{︷}}{\delta\; v_{t}},\overset{\overset{1}{︷}}{s_{t}},\overset{\overset{n_{1}}{︷}}{0^{n_{1}}},\overset{\overset{n_{2}}{︷}}{\eta_{t,1},\ldots\mspace{14mu},\eta_{t,n_{2}}},\overset{\overset{n_{3}}{︷}}{0^{n_{3}}}} \right)_{{\mathbb{B}}^{*}}}} & (19)\end{matrix}$

[Step S305: Key Output Processing]

In Step S305, the key output unit 330 outputs the search key TD_(v) tothe search device 500. The search key TD_(v) includes, as elements, aset Iv of the indices acquired in Step S301 and the search vector k*₀and the search vector k*_(t) for each integer t of t∈Iv generated inStep S304.

[Description of Processing of Search Algorithm]

Next, processing of the Search algorithm in the first embodiment isdescribed with reference to FIG. 16. As described above, the Searchalgorithm is executed by the search device 500. The Search algorithmcorresponds to a search step in the secret search method according tothe first embodiment. Further, the Search algorithm corresponds tosearch processing in the secret search program in the first embodiment.

[Step S501: Information Acquisition Processing]

In Step S501, the information acquisition unit 510 acquires the publickey pk disclosed by the key generation device 100. The informationacquisition unit 510 also acquires the encrypted tag ET_(x) output bythe encrypted tag generation device 200. Further, the informationacquisition unit 510 acquires the search key TD_(v) output by the searchkey generation device 300.

[Step S502: Searchable Determination Processing]

In Step S502, the search determination unit 520 determines whether ornot the set Iv of the indices included in the search key TD_(v) acquiredin Step S501 is a subset of the set Ix of the indices included in theencrypted tag ET_(x) acquired in Step S501.

When the set Iv of indices is a subset of the set Ix of indices, thesearch determination unit 520 determines that the set Iv of indices issearchable, and the processing advances to Step S503. Meanwhile, whenthe set Iv of indices is not a subset of the set Ix of indices, thesearch determination unit 520 determines that the set Iv of indices isnot searchable, and the processing advances to Step S507.

[Step S503: Decryption Processing]

In Step S503, as represented by Expression (20), the searchdetermination unit 520 performs a pairing operation between the tagincluded in the encrypted tag ET_(x) and the search vector included inthe search key TD_(v), to thereby calculate a session key K.

$\begin{matrix}{K:={{e\left( {c_{0},k_{0}^{*}} \right)} \cdot {\prod\limits_{t \in {Iv}}{e\left( {c_{t},k_{t}^{\star}} \right)}}}} & (20)\end{matrix}$

That is, the search determination unit 520 performs processing ofdecrypting the encrypted tag ET_(x) by using the public key pk and thesearch key TD_(v) based on a method referred to as “inner-productpredicate encryption.”

[Step S504: Search Determination Processing]

In Step S504, the search determination unit 520 determines whether ornot the session key K calculated in Step S503 is the same as the tagvector c_(T) included in the encrypted tag ET_(x).

When the search determination unit 520 determines that the session key Kis the same as the tag vector c_(T), the processing advances to StepS505. Meanwhile, when the search determination unit 520 determines thatthe session key K is not the same as the tag vector c_(T), theprocessing advances to Step S507.

[Step S505: “Result A” Output Processing]

In Step S505, the result output unit 530 outputs a “0” indicating thatthere has been a hit in the search.

[Step S507: Search Key Index Update Processing]

In Step S507, the search determination unit 520 adds one to each elementof the set Iv of the indices included in the search key TD_(v) acquiredin Step S501. Further, the search determination unit 520 adds one to theindex t of each search vector k*_(t) included in the search key TD_(v).

[Step S508: Search End Determination Processing]

In Step S508, when the maximum index included in the set Iv of indicesincluded in the search key TD_(v) updated in Step S507 is equal to orless than the maximum index included in the set Ix of indices includedin the encrypted tag ET_(x) acquired in Step S501, the searchdetermination unit 520 advances the processing to Step S502. When thisis not the case, the search determination unit 520 advances theprocessing to Step S506.

[Step S506: “Result B” Output Processing]

In Step S506, the result output unit 530 outputs a “1” indicating thatthere has not been a hit in the search.

That is, the search device 500 searches for an encrypted tag ET_(x)corresponding to the search key TD_(v) by performing a calculation usingthe search vector k*_(t) included in the search key TD_(v) and the tagvector c_(t) included in each encrypted tag ET_(x).

More specifically, the search device 500 searches for an encrypted tagET_(x) corresponding to the search key TD_(v) by calculating an innerproduct of the search vector k*_(t) included in the search key TD_(v)and the tag vector c_(t) which is included in each encrypted tag ET_(x)and which corresponds to the search vector k*_(t).

As described with reference to FIG. 5, the partial match secret searchcan be implemented by calculating the inner product by shifting theindex t of the search vector k*_(t) included in the search key TD_(v)one by one. The update of the index t is a simple index replacement.Therefore, the update does not require special search key conversionprocessing, and the update is fast. Meanwhile, as described withreference to FIG. 6 or FIG. 7, it is not possible to perform the searchafter separating or replacing the search character string, and anunintended search by a malicious third party can be prevented.

In the above description, users who can perform the search are notrestricted, and all users can search for all encrypted tags ET_(x).However, like in Patent Literature 2, for each encrypted tag ET_(x), itis possible to restrict the users who can perform the search bycombining the above-mentioned partial match secret search scheme withthe inner-product predicate encryption method.

<Hardware Configuration of Secret Search System According to FirstEmbodiment>

Next, a hardware configuration example of the secret search system 10according to the first embodiment is described with reference to FIG.17. As described above, the secret detection system according to thefirst embodiment includes the key generation device 100, the encryptedtag generation device 200, the search key generation device 300, and thesearch device 500.

The key generation device 100, the encrypted tag generation device 200,the search key generation device 300, and the search device 500 arecomposed of, for example, a computer.

The key generation device 100, the encrypted tag generation device 200,the search key generation device 300, and the search device 500 includehardware, for example, a processor 901, an auxiliary storage device 902,a memory 903, a communication device 904, an input interface 905, and adisplay interface 906.

The processor 901 is connected to other pieces of hardware via a signalline 910, and is configured to control those other pieces of hardware.

The input interface 905 is connected to an input device 907 by a cable911.

The display interface 906 is connected to a display 908 by a cable 912.

The processor 901 is an integrated circuit configured to performprocessing. The processor 901 is, for example, a central processing unit(CPU), a digital signal processor (DSP), or a graphics processing unit(GPU).

The auxiliary storage device 902 is, for example, a read only memory(ROM), a flash memory, or a hard disk drive (HDD).

The memory 903 is, for example, a random access memory (RAM).

The communication device 904 includes a receiver 9041 configured toreceive data and a transmitter 9042 configured to transmit data. Thecommunication device 904 is, for example, a communication chip or anetwork interface card (NIC).

The input interface 905 is a port to which the cable 911 of the inputdevice 907 is to be connected. The input interface 905 is, for example,a universal serial bus (USB) terminal.

The display interface 906 is a port to which the cable 912 of thedisplay 908 is to be connected. The display interface 906 is, forexample, a USB terminal or a high-definition multimedia interface (HDMI)(trademark) terminal

The input device 907 is, for example, a mouse, a keyboard, or a touchpanel.

The display 908 is, for example, a liquid crystal display (LCD).

The auxiliary storage device 902 is configured to store programs forimplementing the above-mentioned information acquisition unit 110, basegeneration unit 120, key generation unit 140, key output unit 150,information acquisition unit 210, tag generation unit 220, random numbergeneration unit 221, element generation unit 222, encrypted tag outputunit 230, information acquisition unit 310, key generation unit 320,random number generation unit 321, secret value generation unit 322,element generation unit 323, key output unit 330, informationacquisition unit 510, search determination unit 520, and result outputunit 530. In the following, the information acquisition unit 110, thebase generation unit 120, the key generation unit 140, the key outputunit 150, the information acquisition unit 210, the tag generation unit220, the random number generation unit 221, the element generation unit222, the encrypted tag output unit 230, the information acquisition unit310, the key generation unit 320, the random number generation unit 321,the secret value generation unit 322, the element generation unit 323,the key output unit 330, the information acquisition unit 510, thesearch determination unit 520, and the result output unit 530 arecollectively referred to as “each of the units.”

Those programs are loaded onto the memory 903, read by the processor901, and executed by the processor 901.

Further, the auxiliary storage device 902 also stores an operatingsystem (OS).

Then, at least a part of the OS is loaded onto the memory 903, and theprocessor 901 executes the programs for implementing the function of“each of the units” while executing the OS.

In FIG. 17, one processor 901 is illustrated, but the key generationdevice 100, the encrypted tag generation device 200, the search keygeneration device 300, the converted search key generation device 400,and the search device 500 may be composed of a plurality of processors901. Moreover, a plurality of processors 901 may execute in acollaborative manner a program for implementing the function of “each ofthe units.”

Further, information, data, a signal value, and a variable valueindicating the result of processing executed by “each of the units” arestored into the memory 903, the auxiliary storage device 902, or aregister or cache memory included in the processor 901 as files.

Further, “each of the units” may be provided as a “circuitry.” Moreover,the term “unit” of “each of the units” may be read as “circuit,” “step,”“procedure,” or “processing.” The “circuit” and “circuitry” are conceptsthat include not only the processor 901 but also other types ofprocessing circuits such as a logic IC, a gate array (GA), anapplication-specific integrated circuit (ASIC), or a field-programmablegate array (FPGA).

REFERENCE SIGNS LIST

10 secret search system, 100 key generation device, 110 informationacquisition unit, 120 base generation unit, 140 key generation unit, 150key output unit, 200 encrypted tag generation device, 210 informationacquisition unit, 220 tag generation unit, 221 random number generationunit, 222 element generation unit, 230 encrypted tag output unit, 300search key generation device, 310 information acquisition unit, 320 keygeneration unit, 321 random number generation unit, 322 secret valuegeneration unit, 323 element generation unit, 330 key output unit, 500search device, 510 information acquisition unit, 520 searchdetermination unit, 530 result output unit, pk public key, sk secretkey, B, B* base, B{circumflex over ( )}, B{circumflex over ( )}A*partial base, param parameter, Ix, Iv set of indices, x^(→) attributevector, v^(→) predicate vector, k* search vector, ET_(x) encrypted tag,TD_(v) search key

1. A secret search system, comprising: a search key generator configuredto generate a search key TD_(v) in which a position of each character ofa search character string is specified and set; an encrypted taggenerator configured to generate encrypted tags ET_(x) in which aposition of each character of a character-string-to-be-searched isspecified and set; and a search device configured to search for, fromamong the encrypted tags ET_(x), an encrypted tag ET_(x) correspondingto the search key TD_(v), wherein an index t indicating the position ofeach character is set in one of an element included in the search keyTD_(v) and an element included in the encrypted tags ET_(x), and anindex −t having a sign obtained by inverting a sign of the index t isset in the other of the element included in the search key TD_(v) andthe element included in the encrypted tags ET_(x), and wherein thesecret search system is configured to search for the encrypted tagET_(x) corresponding to the search key TD_(v) by, during the search,adding the index t and the index −t set in the search key TD_(v) and theencrypted tags ET_(x) to cancel out the index t and the index −t.
 2. Thesecret search system according to claim 1, wherein the search device isconfigured to search for the encrypted tag corresponding to the searchkey TD_(v) by using an inner-product predicate encryption method forcalculating an inner product of the element included in the search keyTD_(v) and the element included in the encrypted tags ET_(x).
 3. Thesecret search system according to claim 1, wherein the search device isconfigured to perform a search by using a secret value s₀, a firstvariance s_(t) for each index t of t∈Iv, and a second variance τ_(t) foreach index t of t∈Iv, wherein the secret value s₀ and the first variances_(t) satisfy a relationship of s₀=Σ_(t∈IvS) _(t) , wherein the secondvariance τ_(t) satisfies a relationship of 0=Σ_(t∈Ivτ) _(t) , andwherein the Iv is a set of the indices t.
 4. The secret search systemaccording to claim 3, wherein the search key TD_(v) includes: an elementk*₀ which is a vector in a base B*₀ in which the secret value s₀ is set;and for each index t of t∈Iv, an element k*_(t) which is a vector in abase B* in which the first variance s_(t), the second variance τ_(t), anattribute value v_(t), and the index t are set.
 5. The secret searchsystem according to claim 4, wherein the encrypted tag ET_(x) includes:an element c₀ which is a vector in a base B₀ corresponding to the baseB*₀; and for each index t of t∈Ix, an element c_(t) which is a vector ina base B corresponding to the base B* in which an attribute value x_(t)and the index −t are set, and wherein the Ix is a set of the indices t.6. The secret search system according to claim 2, wherein the searchdevice is configured to perform a search by using a secret value s₀, afirst variance s_(t) for each index t of t∈Iv, and a second varianceτ_(t) for each index t of t∈Iv, wherein the secret value so and thefirst variance s_(t) satisfy a relationship of s₀=Σ_(t∈IvS) _(t) ,wherein the second variance T_(t) satisfies a relationship of0=Σ_(t∈Ivτ) _(t) , and wherein the Iv is a set of the indices t.
 7. Thesecret search system according to claim 6, wherein the search key TD_(v)includes: an element k*₀ which is a vector in a base B*₀ in which thesecret value s₀ is set; and for each index t of t∈Iv, an element k*_(t)which is a vector in a base B* in which the first variance s_(t), thesecond variance τ_(t), an attribute value v_(t), and the index t areset.
 8. The secret search system according to claim 7, wherein theencrypted tag ET_(x) includes: an element c₀ which is a vector in a baseB₀ corresponding to the base B*₀; and for each index t of t∈Ix, anelement c_(t) which is a vector in a base B corresponding to the base B*in which an attribute value x_(t) and the index −t are set, and whereinthe Ix is a set of the indices t.
 9. A secret search method, comprising:a search key generation step of generating a search key TD_(v) in whicha position of each character of a search character string is specifiedand set; an encrypted tag generation step of generating a plurality ofencrypted tags ET_(x) in which a position of each character of acharacter-string-to-be-searched is specified and set; and a search stepof searching for, from among the plurality of encrypted tags ET_(x), anencrypted tag ET_(x) corresponding to the search key TD_(v), wherein anindex t indicating the position of each character is set in one of anelement included in the search key TD_(v) and an element included in theplurality of encrypted tags ET_(x), and an index −t having a signobtained by inverting a sign of the index t is set in the other of theelement included in the search key TD_(v) and the element included inthe plurality of encrypted tags ET_(x), and wherein the encrypted tagET_(x) corresponding to the search key TD_(v) is searched for by, duringthe search, adding the index t and the index −t set in the search keyTD_(v) and the plurality of encrypted tags ET_(x) to cancel out theindex t and the index −t.